The Cisco ISE must be configured to synchronize internal information system clocks using redundant authoritative time sources.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-242629 | CSCO-NM-000230 | SV-242629r1168433_rule | CCI-000366 | medium |
| Description | ||||
| The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source. | ||||
| STIG | Date | |||
| Cisco ISE NDM Security Technical Implementation Guide | 2025-12-11 | |||
Details
Check Text (C-242629r1168433_chk)
1. View the status of the Network Translation Protocol (NTP) associations.
show ntp
2. Verify a primary and secondary ntp server address is configured.
If the Cisco ISE is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
Fix Text (F-45861r1168432_fix)
1. Choose Administration >> System >> Settings >> System Time.
2. Enter unique IP addresses (IPv4/IPv6/FQDN) for the NTP servers.
3. Configure redundant NTP server addresses.
Note: If authentication settings are no longer available, then a DOD-approved solution must be used. Use of MD5 results in a CAT 2 (CSCO-NM-000390) finding since NTP authentication is required. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.